Uber data breach wrap-up. Experts’ opinions

On November 21, Uber officially disclosed a massive data breach. News broke that hackers had compromised the personal data of 57 million of Uber’s customers and drivers worldwide in a cyberattack that took place in October 2016. The stolen data included names, email addresses and phone numbers. The company paid the attackers $100,000 to delete the data and keep the breach secret.
In effect, Uber concealed the data breach for more than a year.

To get to the truth, we conducted a why-what-how investigation, reached out to cybersecurity experts and asked them topical questions about the Uber data breach.

Why does the Uber data breach matter?

Uber’s data breach is clearly not much ado about nothing, and the first question we asked was what the experts think about this case.

The attack was a criminal act and so was the cover-up. Just because it happens in cyberspace doesn’t lessen the seriousness of what happened. Just as important as the hack was the payment of ransom. It’s a very anti-community act because it encourages more criminal behavior. It’s also a desperate act with a very high risk of failure.

It is arguably morally incorrect and unacceptable in today’s world for an organization, particularly one as widely used as Uber, to not only delay reporting a data breach, but to actually attempt to cover it up! Come May 25th next year, the General Data Protection Regulation (GDPR) will mean that all organizations that deal with EU citizens’ data will need to report a breach within 72 hours or risk being fined up to 4% of their annual turnover. Considering that Uber’s revenue last year came to $6.5 billion, they’d be at risk of being fined $260 million.

Simon Townsend, Chief Technologist EMEA for Ivanti and an expert in GDPR best practices and endpoint security.

There is something deeply disturbing about the most recent, public, Uber breach.
… every business should consider these as lessons learned and not make the same mistakes. Just like a child, hopefully, they have learned not to touch a hot stove. They just plainly acted like irresponsible children.
The breach occurred due to a failure to secure credentials on a GitHub site used by engineers. This was then leveraged using stolen privileges to gain access to Amazon AWS instances that support Uber. An archive file was then compromised containing the data.

Morey Haber, Vice President of Technology at BeyondTrust, Office of the CTO.

While I suspect most will rest the blame squarely on Uber as a corporation and its well-known lack of leadership, it’s the choices made by the Chief Security Officer and one of his deputies that are the most shocking part of this data breach.
When you act as the front line of defense for an organization, it is imperative that your security team operates in the most honest and forthright manner possible. While some might debate the morality of the decision to pay off the attackers, the lack of responsible disclosure in reporting the incident to regulators is something every security professional should consider to be an unforgivable crime.

A very important point here is that it’s not good that one of our own did this. We as security folks have an ethical responsibility. Without knowing the full details and/or hearing from them about this, it’s disturbing that this happened. I’d hope that there might have been conversations between the CSO and others in the leadership about what to do, who to notify etc… However, if this was an alone thing and not someone taking a fall, then it’s a shame it happened.

I was actually hacked but I didn’t find out from an e-mail from Uber. I read a story online about the hack that had a link to Uber’s website where I could check if my data had been compromised.
I found this pretty strange since, obviously, I would want to know if my data has been hacked; why should I have to opt into this? Uber still hasn’t sent a single e-mail to drivers about the hack, instead relying on the media to disperse information to drivers, which is even more worrying, since there may be many drivers out there that still don’t know their information has been compromised.

How did the Uber data breach happen?

Although much has been written about this incident, nobody knows exactly what happened.

In fact, one curious theory exists. When hackers approached Uber and demanded a ransom, Uber agreed to the demands and paid up. To soften the impact, Uber made the payment look like a bug bounty payout. However, it could also have been just a costly mistake and some misunderstanding inside a bug bounty program. The truth is out there…

Officials at Uber admitted to concealing a cyberattack that in October of 2016 affected 57 million people. Information that the hackers gained access to included names, email addresses, phone numbers, and in some cases, driver’s license numbers.
In an age where a new large-scale data breach breaks headlines every other week, this information is hardly surprising. What’s unprecedented is Uber’s response to the breach: paying the hackers $100,000 to delete the information and keep the breach quiet, in lieu of notifying its customers.

As far as we can tell from the publicly available data, the Uber developers had checked in their AWS credentials into GitHub, which the hackers were able to use to get to the user data. Both GitHub and AWS offer a number of security measures that companies should really make use of. From an SDLC perspective, it appears that these Uber developers didn’t have the peer-review process to prevent credentials from being committed into source code. Lastly, a big part of the shock and disappointment comes from the fact that Uber appears to have paid hush money to keep this under wraps for a full year.

Hacks against AWS and cloud systems are becoming more common as of late, which in itself is a concern. Attacking third party sources leveraged in conjunction with cloud services represents a challenge to security teams focused on keeping bad guys outside of internal resources. There is a problem here in that normal security tools and methods built for internal data centers do not have the same visibility in cloud environments where your systems and data are sharing a neighborhood (the internet and cloud apps) with millions and millions of other people, both good and bad.

Hackers got access to Uber’s private area on GitHub. There, they found credentials for an Amazon Web Services account where Uber handled computing tasks and archived customer and driver data. So the data leak was caused not by a 0-day vulnerability or an advanced attack, but by basic security negligence.

How to prevent cyberattacks and become cyber-protected?

The discussion leads us to the essential question, which goes beyond this particular case: how can organizations defend themselves?

GitHub has been targeted for a long time through malware and phishing schemes. Code repos are a goldmine for hackers.
Organizations need to enforce the use of SSH keys and the separation of credentials and code and even separation of configuration, code and credentials. This separation reduces the attack surface and multiplies the number of system breaches necessary to effectively breach client data.
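A check of the kind described above (the separation of credentials from code, and the peer-review gap mentioned earlier) could be enforced at commit time. The following is an added example, not code from Uber or from any of the quoted firms: a Python pre-commit hook that refuses a commit when a staged file contains what looks like an AWS access key ID or secret access key. The key values in the comments are AWS’s own documented placeholders; the regular expressions and the entropy threshold are assumptions.

```python
import math
import re
import subprocess
from dataclasses import dataclass

# AWS access key IDs are 20 chars: AKIA (long-lived) or ASIA (temporary) plus 16 more.
ACCESS_KEY_RE = re.compile(r"(?<![A-Za-z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Za-z0-9])")
# A 40-char value assigned to something named like "aws_secret_access_key".
SECRET_KEY_RE = re.compile(
    r"secret[_-]?(?:access[_-]?)?key\W{0,10}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])",
    re.IGNORECASE,
)
MIN_SECRET_ENTROPY = 3.5  # bits per char (assumed): real secrets are random, dummies are not


@dataclass
class Finding:
    line: int   # 1-based line number within the scanned text
    kind: str   # "access_key_id" or "secret_access_key"
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character, used to drop placeholders such as forty zeros."""
    return -sum(p * math.log2(p) for p in (s.count(c) / len(s) for c in set(s)))


def find_aws_credentials(text: str) -> list[Finding]:
    """Return every suspected AWS credential in text, e.g. AKIAIOSFODNN7EXAMPLE."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(lineno, "access_key_id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            if shannon_entropy(m.group(1)) >= MIN_SECRET_ENTROPY:
                findings.append(Finding(lineno, "secret_access_key", m.group(1)))
    return findings


def staged_files() -> list[str]:
    """Paths staged for the current commit (needs git; only used when run as a hook)."""
    cmd = ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.split()


if __name__ == "__main__":
    blocked = False  # a non-zero exit status makes git refuse the commit
    for path in staged_files():
        with open(path, encoding="utf-8", errors="ignore") as fh:
            for f in find_aws_credentials(fh.read()):
                print(f"{path}:{f.line}: possible AWS {f.kind} ({f.value[:8]}...)")
                blocked = True
    raise SystemExit(1 if blocked else 0)
```

Install it as `.git/hooks/pre-commit`; the same function can run in CI over the whole tree so that a reviewer never has to spot a key by eye.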

It could have been prevented by locking down access using an approach like a software-defined perimeter (SDP). Essentially, SDP isolates the user from accessing resources they aren’t entitled to see by leveraging multiple factors. It takes into consideration what the user is trying to do at the time they’re trying to do it. For example, in this case, the system could have required the hackers to present a one-time password before granting access to the server.

Companies should place high priority on understanding what sensitive data they have, where it exists, who is accessing/querying it, and why. This sounds very elementary on its surface, but the truth is that many companies have absolutely zero clue as to what sensitive information exists in their ecosystem or where due to the vast volume of data coming from so many sources in real time.

Organizations should practice using two-factor authentication, which GitHub now provides. Enabling this feature adds an additional security layer which ensures that a hacker who has discovered your password will not be able to log in to your account.

Companies should account for the possibility of security failures and anticipate malicious behavior by any actor. Therefore, companies have to constantly monitor, evaluate and analyze the behavior of all users and entities in their landscapes.
After all, a download of 57 million users’ records will not go unnoticed if you are monitoring user actions.

Michael Rakutko, Head of Professional Services at ERPScan, co-author of SAP Cybersecurity Framework.
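To show what the monitoring described above can catch in this scenario, here is an added example that is not code from the page’s experts: it builds a baseline of which source addresses each AWS access key normally uses and how much S3 data it reads per day, then alerts when a key turns up from a never-seen address or pulls far beyond its norm. The event shape, the key ID, the IP addresses and the 10x multiplier are all constructed assumptions.

```python
from collections import defaultdict

VOLUME_MULTIPLIER = 10  # assumed: alert when a key moves 10x its normal daily read volume


def event(key, ip, nbytes):
    """One constructed CloudTrail-style S3 read record (sample data, not a real log)."""
    return {"accessKeyId": key, "sourceIPAddress": ip, "eventName": "GetObject", "bytesOut": nbytes}


def build_baseline(history, days):
    """Per access key: the source IPs it has used and its average bytes read per day."""
    ips, total = defaultdict(set), defaultdict(int)
    for e in history:
        ips[e["accessKeyId"]].add(e["sourceIPAddress"])
        total[e["accessKeyId"]] += e["bytesOut"]
    return {k: {"ips": ips[k], "daily_bytes": total[k] / days} for k in ips}


def detect_anomalies(baseline, todays_events):
    """Sorted (key, reason) alerts: unknown key, never-seen source IP, or a bulk read."""
    alerts, daily = set(), defaultdict(int)
    for e in todays_events:
        key, ip = e["accessKeyId"], e["sourceIPAddress"]
        base = baseline.get(key)
        if base is None:
            alerts.add((key, "unknown_key"))
            continue
        if ip not in base["ips"]:
            alerts.add((key, f"new_source_ip:{ip}"))
        daily[key] += e["bytesOut"]
    for key, nbytes in daily.items():  # only keys present in the baseline reach here
        if nbytes > VOLUME_MULTIPLIER * baseline[key]["daily_bytes"]:
            alerts.add((key, "bulk_read"))
    return sorted(alerts)


# Constructed data: a CI key reads 5 MB four times a day from inside the VPC for a week...
CI_KEY = "AKIAEXAMPLECIKEY0001"  # placeholder key ID, not a real credential
HISTORY = [event(CI_KEY, "10.20.0.5", 5_000_000) for _ in range(7 * 4)]
# ...and on one day the same key also pulls a 4 GB archive from an outside address.
TODAY = [event(CI_KEY, "10.20.0.5", 5_000_000) for _ in range(3)]
TODAY.append(event(CI_KEY, "203.0.113.77", 4_000_000_000))

if __name__ == "__main__":
    for key, reason in detect_anomalies(build_baseline(HISTORY, days=7), TODAY):
        print(f"ALERT {key}: {reason}")
```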